
Cybersecurity Threat Advisory

In October of 2023, an exploit was revealed by the threat actor PRISMA. This exploit generated persistent Google cookies through token manipulation. Now, attackers are exploiting a Google OAuth endpoint known as “MultiLogin” to restore expired authentication cookies. This allows them to gain access to accounts, even if the password has been reset. Barracuda MSP recommends reviewing this Cybersecurity Threat Advisory in detail to learn more about the potential impact of the MultiLogin exploit.

What is the threat?

In November 2023, two information stealers, Lumma and Rhadamanthys, were reported to claim that they could restore expired Google authentication cookies. The regenerated cookies allowed them to gain unauthorized access to Google accounts even after the original owners logged out, reset their passwords, or ended their session.

Why is it noteworthy?

The MultiLogin endpoint allows the synchronization of Google accounts across different services. It receives a vector containing account IDs and auth-login tokens for handling multiple sessions or transitioning between user profiles. According to CloudSEK researchers, information-stealing malware abusing the MultiLogin endpoint extracts tokens and account IDs from Chrome profiles logged into a Google account. The stolen information contains two crucial pieces of data: service (GAIA ID) and encrypted_token. The tokens are decrypted with a key stored in Chrome’s “Local State” file, the same key that protects passwords saved in the browser. The token:GAIA ID pairs are then submitted to MultiLogin to regenerate expired Google service cookies, which gives the attacker persistent access to the compromised account.
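Because the stealers described above have to read the Chrome profile files that hold the encrypted key (“Local State”) and the data it protects (“Cookies”, “Login Data”), a simple endpoint detection is to flag any process other than the browser itself touching those files. The following is an added example, not part of the advisory or of any Barracuda product: it runs that check over a handful of constructed file-access events. The JSON-per-line event schema and the process names are assumptions; the Chrome file names and the “User Data” path are Chrome’s real ones.

```python
import json
from dataclasses import dataclass

# Chrome profile files that the stealers read (real Chrome file names).
SENSITIVE_SUFFIXES = ("Local State", "Cookies", "Login Data", "Web Data")
# Real location marker of a Chrome profile on Windows.
CHROME_USER_DATA_MARKER = r"\google\chrome\user data"
# Processes legitimately expected to open those files (assumption: only the browser).
TRUSTED_PROCESSES = {"chrome.exe"}


@dataclass
class FileAccess:
    ts: str
    process: str
    target: str


def parse_event(line: str) -> FileAccess:
    """Parse one file-access event. The {ts, process, target} schema is constructed."""
    d = json.loads(line)
    return FileAccess(d["ts"], d["process"].lower(), d["target"])


def is_chrome_secret(path: str) -> bool:
    """True when the path is one of the sensitive files inside a Chrome profile."""
    norm = path.replace("/", "\\")
    return CHROME_USER_DATA_MARKER in norm.lower() and norm.endswith(SENSITIVE_SUFFIXES)


def find_suspicious(lines) -> list:
    """Return the events where a non-browser process read a Chrome secret file."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_chrome_secret(ev.target) and ev.process not in TRUSTED_PROCESSES:
            alerts.append(ev)
    return alerts


# Constructed sample events: two benign browser reads, one unrelated read,
# and two reads of profile secrets by processes that have no business there.
SAMPLE_LOG = [
    r'{"ts": "2023-11-14T09:00:01Z", "process": "chrome.exe", "target": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}',
    r'{"ts": "2023-11-14T09:00:02Z", "process": "chrome.exe", "target": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"ts": "2023-11-14T09:00:03Z", "process": "svchost.exe", "target": "C:\\Windows\\System32\\drivers\\etc\\hosts"}',
    r'{"ts": "2023-11-14T09:05:10Z", "process": "updater.exe", "target": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}',
    r'{"ts": "2023-11-14T09:05:11Z", "process": "updater.exe", "target": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}',
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ev.ts} {ev.process} read {ev.target}")
```

In a real deployment the events would come from an EDR or Sysmon file-access telemetry feed rather than an inline list, and the trusted-process set would be tightened to the signed browser binary path rather than a bare image name.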

What is the exposure or risk?

Lumma first adopted the exploit on November 14, applying blackboxing techniques to hide the mechanism from competitors and prevent the feature’s replication. However, other hacker groups were able to copy the exploit. These groups included Rhadamanthys, Stealc, Medusa, RisePro, and Whitesnake. Additionally, Lumma has since turned to using SOCKS proxies to evade Google’s abuse detection measures and implemented encrypted communication between the malware and MultiLogin.

What are the recommendations?

Barracuda MSP recommends the following actions to limit potential damage of the MultiLogin exploit:

  • To protect your credentials from cookie theft, do not use built-in services to save passwords.
  • Change your settings to delete cookies automatically after closing the browser.
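Both recommendations can be enforced centrally rather than left to each user: Chrome’s enterprise policy `PasswordManagerEnabled` set to false turns off the built-in password store, and `DefaultCookiesSetting` set to 4 keeps cookies only for the duration of the session. The block below is an added example, not part of the advisory: it audits a policy set against those two settings and renders the hardened one as a managed-policy JSON file. The policy names and values are Chrome’s documented ones; the weak and hardened sample policy dictionaries are constructed.

```python
import json

# Chrome enterprise policies (real names and documented values):
#   PasswordManagerEnabled: false  -> browser will not offer to save passwords
#   DefaultCookiesSetting:  4      -> keep cookies for the duration of the session
#                           1      -> allow sites to set persistent cookies (default-like)
REQUIRED = {"PasswordManagerEnabled": False, "DefaultCookiesSetting": 4}

# Constructed sample policy sets: the weak one leaves both defaults in place.
WEAK_POLICY = {"PasswordManagerEnabled": True, "DefaultCookiesSetting": 1}
HARDENED_POLICY = {"PasswordManagerEnabled": False, "DefaultCookiesSetting": 4}


def audit_policy(policy: dict) -> list:
    """Return one finding per required setting that is missing or set to a weaker value."""
    findings = []
    if policy.get("PasswordManagerEnabled", True) is not False:
        findings.append("PasswordManagerEnabled must be false: built-in password saving is on")
    if policy.get("DefaultCookiesSetting") != 4:
        findings.append("DefaultCookiesSetting must be 4: cookies persist after the browser closes")
    return findings


def harden(policy: dict) -> dict:
    """Return a copy of the policy with the two required settings applied on top."""
    fixed = dict(policy)
    fixed.update(REQUIRED)
    return fixed


def render_managed_policy(policy: dict) -> str:
    """Serialize a policy set in the JSON form Chrome reads from its managed-policy directory."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol) or "OK")
    print(render_managed_policy(harden(WEAK_POLICY)))
```

On Linux the rendered JSON is dropped into `/etc/opt/chrome/policies/managed/`; on Windows the same two values are set as DWORDs under `HKLM\Software\Policies\Google\Chrome`. Session-only cookies also shorten the window in which a stolen cookie is useful, since there is no persisted cookie database for a stealer to read once the browser has closed.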

References

For more in-depth information on the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.



Posted by Zachary Beaudet

Zachary is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Zachary supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
